[Git][security-tracker-team/security-tracker][master] 7 commits: Triage CVE-2024-37568 in python-authlib for bullseye LTS.

Chris Lamb (@lamby) lamby at debian.org
Fri Sep 6 12:43:16 BST 2024



Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2ffb5639 by Chris Lamb at 2024-09-06T12:37:35+01:00
Triage CVE-2024-37568 in python-authlib for bullseye LTS.

- - - - -
462a2938 by Chris Lamb at 2024-09-06T12:37:58+01:00
Triage CVE-2024-45310 in runc for bullseye LTS.

- - - - -
3d175128 by Chris Lamb at 2024-09-06T12:38:17+01:00
Triage CVE-2024-42040 in u-boot for bullseye LTS.

- - - - -
f3d4b8ef by Chris Lamb at 2024-09-06T12:39:48+01:00
data/dla-needed.txt: Triage frr for bullseye LTS (CVE-2023-41909)

- - - - -
5f5e97c8 by Chris Lamb at 2024-09-06T12:40:42+01:00
data/dla-needed.txt: Triage python-jwcrypto for bullseye LTS (CVE-2024-28102)

- - - - -
ccc54b13 by Chris Lamb at 2024-09-06T12:40:55+01:00
data/dla-needed.txt: Claim python-jwcrypto.

- - - - -
2f271025 by Chris Lamb at 2024-09-06T12:42:25+01:00
Actually mark CVE-2021-3420 in newlib as ignored, not no-dsa, for bullseye LTS.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -902,6 +902,7 @@ CVE-2024-45615 (A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 modul
 CVE-2024-45310 (runc is a CLI tool for spawning and running containers according to th ...)
 	- runc <unfixed>
 	[bookworm] - runc <no-dsa> (Minor issue)
+	[bullseye] - runc <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://www.openwall.com/lists/oss-security/2024/09/03/1
 	NOTE: https://github.com/opencontainers/runc/security/advisories/GHSA-jfvp-7x6p-h2pv
 CVE-2024-8004 (A stored Cross-site Scripting (XSS) vulnerability affecting ENOVIA Col ...)
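Review bot: the new `[bullseye] - runc <postponed>` line says the fix "can be fixed in next update", but none of the NOTE lines in this hunk point at an upstream fix and the package is still `<unfixed>` in unstable, so the postponement has nothing concrete to ride on yet; consider adding a NOTE with the upstream fix commit once it exists (or stating that none is available) so the next bullseye update does not need a second triage pass. Placement directly after the `[bookworm]` line follows the file's existing suite ordering.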
@@ -2436,6 +2437,7 @@ CVE-2024-42364 (Homepage is a highly customizable homepage with Docker and servi
 CVE-2024-42040 (Buffer Overflow vulnerability in the net/bootp.c in DENEX U-Boot from  ...)
 	- u-boot <unfixed>
 	[bookworm] - u-boot <no-dsa> (Minor issue)
+	[bullseye] - u-boot <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2024-004.txt
 CVE-2024-41878 (Adobe Experience Manager versions 6.5.19 and earlier are affected by a ...)
 	NOT-FOR-US: Adobe
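Review bot: the `(Minor issue; can be fixed in next update)` rationale on the new bullseye line is copied from the bookworm line, yet the context line describes a buffer overflow in net/bootp.c, i.e. code reached from the network during boot; a NOTE saying why that is minor for the Debian build would make the postponement defensible later. The only reference is the SCHUTZWERK advisory text, so a NOTE tracking upstream fix status would also help whoever prepares the eventual update.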
@@ -21820,6 +21822,7 @@ CVE-2024-37569 (An issue was discovered on Mitel 6869i through 4.5.0.41 and 5.x
 CVE-2024-37568 (lepture Authlib before 1.3.1 has algorithm confusion with asymmetric p ...)
 	- python-authlib 1.3.1-1
 	[bookworm] - python-authlib <no-dsa> (Minor issue)
+	[bullseye] - python-authlib <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://github.com/lepture/authlib/issues/654
 	NOTE: https://github.com/lepture/authlib/commit/3bea812acefebc9ee108aa24557be3ba8971daf1 (v1.3.1)
 CVE-2024-35748 (Missing Authorization vulnerability in OPMC WooCommerce Dropshipping.T ...)
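Review bot: this postponement is well supported, since the NOTE already records the upstream fix commit 3bea812 tagged (v1.3.1) and unstable carries 1.3.1-1, so a bullseye backport has a concrete reference; the only weak spot is that `(Minor issue; can be fixed in next update)` is inherited from the bookworm line without its own reasoning, and given that the description reads "algorithm confusion with asymmetric public keys", one sentence on why the impact is limited for the bullseye version would help the person who picks this up.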
@@ -265650,7 +265653,7 @@ CVE-2021-3420 (A flaw was found in newlib in versions prior to 4.0.0. Improper o
 	[experimental] - newlib 4.4.0.20231231-1
 	- newlib 4.4.0.20231231-2 (bug #984446)
 	[bookworm] - newlib 3.3.0-1.3+deb12u1
-	[bullseye] - newlib <no-dsa> (Minor issue)
+	[bullseye] - newlib <ignored> (Minor issue)
 	[buster] - newlib <no-dsa> (Minor issue)
 	[stretch] - newlib <no-dsa> (Minor issue)
 	- picolibc 1.5-1
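Review bot: the status flips from `<no-dsa>` to `<ignored>` but the parenthetical stays `(Minor issue)`, which is exactly the reason given for the buster and stretch `<no-dsa>` lines above; `<ignored>` normally carries a reason of its own (why bullseye will not be updated at all while bookworm received 3.3.0-1.3+deb12u1), so consider replacing the text with that reason, e.g. `[bullseye] - newlib <ignored> (Minor issue; ...)` with the justification filled in.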


=====================================
data/dla-needed.txt
=====================================
@@ -83,6 +83,10 @@ flatpak
   NOTE: 20240814: Added by oldstable Security Team (carnil)
   NOTE: 20240815: Follow fixes from DSA-5749-1 (CVE-2024-42472) (Beuc/front-desk)
 --
+frr
+  NOTE: 20240906: Added by Front-Desk (lamby)
+  NOTE: 20240906: NB. There was a recent update, DLA-3865, @ Tue Sep 3 06:55:29 2024 +0200 (lamby)
+--
 ghostscript (abhijith)
   NOTE: 20240718: Added by oldstable Security Team (carnil)
   NOTE: 20240815: A bookworm DSA is planned
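Review bot: the commit message names CVE-2023-41909 as the reason frr is added, but neither NOTE line in the hunk mentions it, so the entry is not self-contained; add a NOTE such as `NOTE: 20240906: CVE-2023-41909 outstanding after DLA-3865 (lamby)`. The entry also has no claimant after `frr`, unlike `ghostscript (abhijith)` below, which is fine for a fresh front-desk addition but worth confirming is intended.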
@@ -157,6 +161,9 @@ python-git
   NOTE: 20240815: Added by Front-Desk (Beuc)
   NOTE: 20240815: Follow fixes from buster DLA-3589-1, buster DLA-3502-1 and bookworm 12.2 (3 CVEs) (Beuc/front-desk)
 --
+python-jwcrypto (Chris Lamb)
+  NOTE: 20240906: Added by Front-Desk (lamby)
+--
 python-reportlab
   NOTE: 20240807: Added by oldstable Security Team (jmm)
   NOTE: 20240815: A bookworm DSA is planned (Beuc/front-desk)
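Review bot: commit 5f5e97c8 cites CVE-2024-28102 as the trigger for this entry, but the NOTE line does not, so the CVE should be recorded in a NOTE so the claimant and later readers can see what is outstanding. The claimant is written as the full name `(Chris Lamb)` while the NOTE uses the handle `(lamby)` and neighbouring entries use handles such as `(abhijith)` and `(Beuc)`; using `(lamby)` in the header keeps the file greppable by a single identifier.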



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/50aa7b9719be6fb6638969e632b09ea241d1b8cc...2f2710257ce99eb64ed6992fe889201c578e7271

